Master Subscription Agreement

The terms governing your access to and use of the CredSure platform and related Services.

Effective

01.04.2026 · Rev004

Supplier

Certif-ID International GmbH

1. Parties

1.1 Supplier

Certif-ID International GmbH, Scheffelstraße 58a, 50935 Köln, Germany ("Certif-ID", "Supplier", "we", "us")

1.2 Customer

The legal entity identified in an applicable Order Form ("Customer", "you").

1.3 Effective Date

This Agreement becomes effective on the effective date of the first applicable Order Form ("Effective Date").

2. Scope

This Agreement governs Customer's access to and use of the CredSure platform and related Services. Customer Affiliates may subscribe under separate Order Forms referencing this Agreement.

3. Definitions

3.1 Affiliate

Any entity controlling, controlled by, or under common control with a party.

3.2 Confidential Information

Any non-public business, financial, commercial, technical, security, operational, legal, or compliance-related information disclosed by one party to the other that should reasonably be understood as confidential.

3.3 Customer Data

Any data submitted to, stored in, transmitted through, or otherwise processed within the Services on behalf of Customer.

3.4 Order Form

A written or electronic ordering document referencing this Agreement.

3.5 Services

The CredSure platform and associated contracted modules, support, integrations, APIs, implementation services, and related offerings are purchased under an Order Form.

3.6 Trust Center

Certif-ID's online trust and assurance portal contains available privacy, security, diligence, and compliance materials.

3.7 DPA

The existing CredSure Data Processing Addendum / Data Processing Agreement in force between the parties, as updated from time to time in accordance with its terms.

4. Contract Structure and Order of Precedence

4.1 Contract Stack

The contract stack consists of:

  • applicable Order Form(s)
  • the existing DPA for privacy and Personal Data Processing matters
  • this Agreement
  • any expressly incorporated schedules

4.2 Order of Precedence

If there is a conflict between documents:

  • Order Form for local commercial scope, subscribing entity details, rollout specifics, selected Services, pricing, and operational onboarding matters only
  • the DPA for privacy, security, Personal Data Processing, retention, deletion, Subprocessors, and transfer matters
  • this Agreement for all other commercial and legal matters
  • any expressly incorporated Service Schedule solely for the service topic it governs

4.3 No Implied Amendment

No silence in an Order Form, support communication, Trust Center material, or sales representation shall amend this Agreement or the DPA unless expressly agreed in signed writing.

5. Services

Services may include:

  • digital credential issuance
  • credential verification
  • recipient access portals
  • analytics and reporting
  • APIs and integrations
  • onboarding services
  • customer support
  • implementation services

Specific Services purchased shall be identified in the applicable Order Form.

6. Order Forms

Each Order Form forms part of this Agreement. An Order Form may specify:

  • subscribing legal entity
  • country or Affiliate
  • rollout scope
  • package purchased
  • fees
  • term
  • implementation timetable
  • local requirements

No Order Form silently amends liability, privacy, confidentiality, or IP terms unless expressly stated.

7. Fees and Payment

7.1 Fees

Fees are stated in the applicable Order Form.

7.2 Payment Terms

Unless otherwise agreed:

  • invoices are payable within thirty (30) days
  • overdue undisputed amounts may accrue lawful interest
  • Customer is responsible for applicable taxes, excluding taxes on Certif-ID income

7.3 Suspension for Non-Payment

Certif-ID may suspend Services for material non-payment after written notice and reasonable cure opportunity.

8. Subscription Term

8.1 Agreement Term

This Agreement begins on the Effective Date and continues until terminated.

8.2 Order Form Term

Each Order Form continues for its stated term and renews as specified therein.

9. Customer Responsibilities

Customer shall:

  • use the Services lawfully
  • maintain credential security for Customer-managed accounts
  • ensure authorised users comply with this Agreement
  • provide accurate onboarding information
  • use reasonable efforts to prevent unauthorised access
  • remain responsible for the legality of Customer Data
  • manage permissions and configurations under Customer control, including identity integrations where applicable

Customer is responsible for settings under its control, including user permissions, administrator roles, and federated identity configurations.

10. Data Protection

10.1 Existing DPA Applies

Where Certif-ID processes Personal Data on behalf of Customer, the existing DPA applies automatically.

10.2 DPA Governs Privacy Matters

The DPA governs, without limitation:

  • controller / processor obligations
  • security obligations
  • Subprocessors
  • international transfers
  • retention, return, and deletion
  • audit rights relating to Personal Data Processing
  • liability and indemnification relating to privacy and data protection matters

10.3 Prevailing Privacy Terms

In the event of any inconsistency between this Agreement and the DPA regarding Personal Data Processing, the DPA shall prevail.

11. Security

Certif-ID shall maintain technical and organisational measures appropriate to the risks associated with the Services. Routine diligence may ordinarily be satisfied through the Trust Center. Detailed commitments relating to Personal Data Processing are set out in the DPA.

12. Trust Center

Certif-ID maintains a Trust Center containing available assurance materials, which may include:

  • privacy materials
  • security summaries
  • certifications
  • questionnaires
  • Subprocessor information
  • policy overviews

Unless expressly incorporated in writing, Trust Center materials are informational and do not independently amend contractual obligations.

13. Confidentiality

13.1 Obligations

Each party shall:

  • protect Confidential Information using reasonable care
  • use Confidential Information only for purposes of this Agreement
  • restrict disclosure to personnel, advisers, contractors, auditors, or Affiliates with a need to know and confidentiality obligations

13.2 Exclusions

Confidential Information excludes information that:

  • becomes public without breach
  • was lawfully known before disclosure
  • is independently developed
  • is lawfully received from a third party without duty of confidence

13.3 Compelled Disclosure

A party may disclose Confidential Information where required by law or regulator, using reasonable efforts to provide prior notice where lawful.

13.4 Survival

Confidentiality obligations survive termination for five (5) years, and trade secrets for so long as protected by law.

14. Intellectual Property

14.1 Certif-ID Ownership

Certif-ID owns all right, title, and interest in:

  • Services
  • software
  • documentation
  • branding
  • methodologies
  • improvements

excluding Customer Confidential Information.

14.2 Customer Ownership

Customer retains ownership of Customer Data.

14.3 Feedback

Customer feedback may be used by Certif-ID without restriction provided no Customer Confidential Information is disclosed.

15. Acceptable Use

Customer shall not:

  • reverse engineer except where non-waivable law permits
  • resell access unless authorised
  • interfere with security or service integrity
  • upload malware
  • attempt unauthorised access
  • use the Services unlawfully

16. Warranties

16.1 Service Warranty

Certif-ID warrants that Services will materially perform in accordance with documentation.

16.2 Standard of Care

Certif-ID warrants that Services will be provided with reasonable skill and care.

16.3 Disclaimer

Except as expressly stated, Services are provided on an as-available basis. Certif-ID does not warrant uninterrupted or error-free operation.

17. Indemnities

17.1 By Certif-ID

Certif-ID shall defend and indemnify Customer against third-party claims alleging that the Services, when used in accordance with this Agreement, infringe intellectual property rights. Exclusions include claims arising from:

  • Customer modifications
  • combinations not supplied by Certif-ID
  • misuse
  • use contrary to documentation

Certif-ID may:

  • procure continued rights of use
  • modify Services
  • replace affected functionality
  • terminate affected Services and refund prepaid unused fees for impacted portions

17.2 By Customer

Customer shall defend and indemnify Certif-ID against third-party claims arising from:

  • unlawful Customer Data
  • Customer misuse
  • Customer breach of law
  • unlawful instructions given to Certif-ID

17.3 Privacy Carve-Out

Liability and indemnification relating specifically to Personal Data Processing, data protection breaches, regulatory exposure, Data Subject claims, Subprocessor responsibility, and related privacy matters shall be governed by the DPA.

17.4 Procedure

The indemnified party shall promptly notify the indemnifying party and provide reasonable cooperation.

18. Limitation of Liability

18.1 General Cap

Except as stated below, each party's aggregate liability arising from this Agreement and all Order Forms shall not exceed the fees paid or payable in the twelve (12) months preceding the event giving rise to liability.

18.2 Higher-Risk Cap

For liability arising from:

  • confidentiality breach
  • indemnified claims
  • privacy and data protection claims to the extent the DPA links such claims to the higher-risk cap in this Agreement

aggregate liability shall not exceed two (2) times the cap in Section 18.1.

18.3 Unlimited / Non-Excluded Liability

Nothing limits liability for:

  • fraud
  • wilful misconduct
  • death or personal injury where non-excludable
  • deliberate unlawful misuse of Personal Data
  • liabilities that cannot legally be limited

18.4 Excluded Losses

Except where prohibited by law, neither party shall be liable for:

  • indirect loss
  • consequential loss
  • loss of profits
  • loss of goodwill

18.5 DPA Interaction

Where the DPA contains specific privacy liability allocation, contribution, indemnification, or reimbursement language required by Applicable Data Protection Laws, that DPA language shall operate alongside this Agreement and prevail to the extent necessary for privacy matters.

19. Suspension

Certif-ID may suspend Services where reasonably necessary for:

  • security threats
  • unlawful use
  • material payment default after notice

Reasonable efforts shall be used to limit scope and duration.

20. Termination

Either party may terminate for material breach not cured within thirty (30) days after written notice. Either party may terminate where the other becomes insolvent or ceases business operations.

21. Effects of Termination

Upon termination or expiry:

  • Customer access rights cease subject to agreed transition support
  • Customer Data handling follows the DPA
  • accrued payment obligations survive
  • surviving clauses remain effective

Termination of one Order Form does not automatically terminate all Order Forms unless expressly stated.

22. Publicity

Certif-ID may identify Customer as a customer only with prior written consent or separate written agreement.

23. Governing Law and Jurisdiction

This Agreement is governed by the laws of Germany. Exclusive jurisdiction shall be the courts of Cologne (Köln), Germany, unless mandatory law requires otherwise. The parties shall first use reasonable good-faith efforts to resolve disputes through designated representatives.

24. Entire Agreement

This Agreement together with applicable Order Forms, the DPA, and incorporated schedules forms the entire agreement regarding the Services.

25. Amendments

Amendments must be in writing signed by authorised representatives, except non-material administrative updates not reducing protections.

26. Counterparts and Electronic Signature

This Agreement may be executed in counterparts and electronically.

Supplier Information

Certif-ID International GmbH

Scheffelstraße 58a

50935 Köln

Germany

datenschutz@certif-id.com

https://www.certif-id.com

Document version Rev004 · Effective 01.04.2026 · Subject to change in accordance with Section 25.